More bad passwords revealed in Gawker hack

Are people getting any smarter about password protection?

By Michael Hardy

Dec 14, 2010

Have we learned nothing from rockyou.com?

You may recall that earlier this year, security firm Imperva analyzed 32 million passwords that a hacker stole from an application developer called rockyou.com and found that many people were using simple ones, including "password," "rockyou" (the name of the site) and strings of sequential numbers.

Now hackers have once again stolen and posted passwords, this time from Gawker and its related sites, including Gizmodo and Lifehacker.

The most common password, according to a Wall Street Journal analysis of the data dump: "123456," used by more than 3,000 registered Gawker users.

After that:

password
12345678
lifehack (a variation of one of the site names)
qwerty
abc123
111111
monkey
consumer
12345
0
letmein
trustno1 (Fox Mulder's password on "The X Files," and he should have known better.)

The WSJ has 50 top passwords from this latest hack, and a detailed analysis.

Security experts recommend people use "strong" passwords, generally defined to be randomized strings of letters, numbers and symbols, with some letters capitalized, not based on any words with personal significance (don't use your dog's name or child's college name, for example). And they also recommend that you have a different password for every site that requires one, change them often, and never write them down.
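As an added example, not from the article or the WSJ analysis, here is the check a site operator could run at sign-up to catch exactly the kinds of passwords the Gawker dump shows: the top entries listed above, pure digit or letter sequences, keyboard walks, repeated characters, site-name variants, and "leet" or bolt-on-digit disguises of those. The site-name list and the leet mapping are assumptions; the denylist is a constructed sample limited to the passwords named above.

```python
import string

# Constructed sample denylist: the most common Gawker passwords the article
# lists above. A real deployment loads a full breached-password list instead.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "lifehack", "qwerty", "abc123",
    "111111", "monkey", "consumer", "12345", "0", "letmein", "trustno1",
}
# "lifehack" in the top list shows users deriving passwords from the site
# they log into; this list of site names is an assumption, not WSJ data.
SITE_WORDS = ("gawker", "gizmodo", "lifehack")
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
# Assumed leet-speak mapping so that "passw0rd" is compared as "password".
LEET = str.maketrans("01345$@", "oleassa")

def _candidates(pw):
    """Forms to compare: lower-cased, leet undone, bolt-on digits/symbols stripped."""
    low = pw.lower()
    forms = {low, low.translate(LEET)}
    forms |= {f.strip(string.digits + string.punctuation) for f in forms}
    return {f for f in forms if f}

def _is_sequence(s):
    """True for runs such as 12345 or abcd, forwards or backwards."""
    codes = [ord(c) for c in s]
    steps = {b - a for a, b in zip(codes, codes[1:])}
    return len(s) >= 4 and steps in ({1}, {-1})

def _is_keyboard_walk(s):
    return len(s) >= 4 and any(s in r or s in r[::-1] for r in KEYBOARD_ROWS)

def password_problems(pw):
    """Return the reasons a password is weak; an empty list means it passed."""
    problems = []
    forms = _candidates(pw)
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if forms & COMMON_PASSWORDS:
        problems.append("on the common-password list")
    if len(set(pw)) == 1:
        problems.append("single repeated character")
    if any(_is_sequence(f) for f in forms):
        problems.append("sequential characters")
    if any(_is_keyboard_walk(f) for f in forms):
        problems.append("keyboard walk")
    if any(w in f for f in forms for w in SITE_WORDS):
        problems.append("contains the site name")
    return problems
```

The reader's story-based example from later in this article, "bourbon1992Sarah", passes every check, while "Passw0rd!" and "lifehack2010" are both rejected.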

Most ordinary people find this advice to be laughably unrealistic -- creating and, more importantly, remembering a couple dozen such strong passwords without writing them down is pretty much impossible. (And for sites where the access is needed only to read and comment on articles, with no payment or personal information stored, many people think complex passwords are superfluous.)

But when we asked our readers, after reporting on the rockyou hack, for tips, we got a few really good ones. Among them:

Open a favorite book to a random page and find a phrase. The phrase becomes the password. You can write down the page and line number safely -- it will look like "73 14," and it's doubtful anybody will know what it means. If someone does figure it out, they'd still have to guess which book.

Memorize your finger movements when you create the password. When you change it, start on a different first key but make the same movements. You end up with a new, unguessable password already stored in your muscle memory.

Combine meaningful phrases and dates with other symbols and codes. One reader told us: "I went to Disney World in 1996, so I start with '96DIsneyworld' (using uppercase for the first two letters). I precede that with two special characters that I always keep the same. Then I precede that with the first letter again in lowercase. That gives me 'd,,96DIsneyworld.' To avoid using the very same password on all my various accounts, for each one I add a lowercase letter just after the digits that represents the system to me (e.g., 't' for the Timesheet system, 'e' for e-mail). This would give me 'd,,96tDIsneyworld' for my Timesheet password."

E. Miller of Portland, Ore., recommended making passwords out of stories. "'I walked down Bourbon Street with Sarah in 1992' can be 'bourbon1992Sarah' or many other variations."
